Reconfiguration method for a sensor system comprising at least one set of observers for failure compensation and guaranteeing measured value quality

ABSTRACT

The invention relates to a reconfiguration method designed to be implemented in a computer system, for compensating failures of a sensor system ( 1 ). Said sensor system comprises at least one sensor ( 2, 50 ) for measuring ( 12, 22 ) system states of an application system ( 11, 21 ) and at least one system model ( 4 ) for describing the application system, which together form at least one first observer ( 6 ) for estimating system states in order to provide system states for an allocated data processing device ( 14, 24 ). According to the method, failure states for a first observer are determined from deviations, which occur as a result of the comparison between a number of states measured by the sensor or sensors and a state estimated by the system model.

[0001] The invention relates to a reconfiguration system provided forimplementation in a computer system for the compensation of failures ofa sensor system with at least one set of observers for the failurecompensation and assuring a measured value quality.

[0002] The invention relates particularly to a reconfiguration systemprovided for implementation in a computer system and to a respectivesensor system for the compensation of failures of the sensor system withat least two configurable observers, each of which comprises at leastone respective sensor for measuring of system states of an applicationsystem and at least one system model for describing the applicationsystem while forming at least one first observer for estimating ofsystem states in order to make system states available to an allocateddata processing unit, whereby failure states based on deviation valuesare ascertained for a first observer, said deviation values resultingfrom a comparing of a number of states measured by means of the at leastone senor with a state estimated by means of the system model.

[0003] German Patent Publication DE 36 38 131 A1 discloses a controlunit in which temperature threshold values are stored for two heatsensors. In case of a failure of one sensor that is in case of anon-tolerable deviation from a rated value, a replacement value is used.The replacement value is constant and identical for each operationalstate. The replacement value represents a difference value of thetemperatures relative to a normal state. The respective temperaturevalue is ascertained by means of a certain addition or subtraction.

[0004] German Patent Publication DE 197 05 766 C1 discloses a controldevice for an internal combustion engine. The control device comprisesdifferent sensors such as a pedal position sensor, an air mass meter ora temperature sensor. Furthermore, operational quantities such as anatmospheric pressure or an exhaust counter-pressure are ascertainedthrough a performance graph relationship or by an observer. Actuatorsare activated with the control values ascertained by the control device,each activator including an activator drive and an activating member.Activating members are provided in the form of a throttle flap, aninjection valve, a sparkplug or a change-over switch between twodifferent suction pipe lengths. A monitoring unit monitors at least onesensor. Different sensor values or estimated values thereof areascertained by means of the sensors and the observer. Derivative valuesare ascertained from the sensor or estimated values. When respectivepredetermined threshold values are exceeded, a conclusion is made inaccordance with a given scheme regarding the faultiness of certainsensors.

[0005] World Patent Publication WO 94/12948 A1 discloses a method and anapparatus for operating a neural network with missing and/or incompletedata. A decision processor is provided for monitoring an output control,whereby the output is either varied or prevented if the output of anuncertainty model exceeds a predetermined threshold value. A probabilityvalue for the reliability of the output is used as an input for thedecision processor. The probability value is ascertained during thetraining phase for a predetermined value range.

[0006] Sensor systems or measuring systems that are technicallyrealizable always have a deviation from an ideal system state. As longas these deviations do not impair the required, specified accuracy ofthe output information, one talks of errors or also of non-calibratableremainder errors. The meaning of the word “error” in this context doesnot connotate the implication that a status warranting correction isinvolved. Rather, an accepted “deviation” is involved. If thesedeviations impair the required specified accuracy of the outputinformation due to hardware defects that have occurred, softwaredefects, or due to shortcomings in the system modeling, then one speaksof “failures”.

[0007] A system is referred to as “failure tolerant” if it timelyrecognizes failures of internal components or internal failures whichcan lead to failures of the output information and if it prevents bysuitable measures or reconfiguration that the output information impairsthe required or specified accuracy.

[0008] Prior art observers are known for estimating the states whichoccur in processes or in the operation of technical systems. Suchobservers are, for example described in “Regelungstechnik” (Closed LoopControl Techniques) by O. Foellinger, 1994, Huethig GmbH on pages 405 to407. These observers constitute a combination of sensors for a partialor complete measuring of instantaneous states and of a system modelwhich describes as a function of time the characteristics of apredefined system for analytically ascertaining the status. An observerformed of sensors and the system model and constitutes a completedescription of the system up to the present, estimates hereby the systemstatus. Such an observer may generally be a Luenberger-observer, aKalman-filter, a neural network, or another conventional observermethod.

[0009] It is further known in the prior art to use an observer forfusing of sensor signals with a system model. Thereby, the observertakes into account the assumed accuracy of the system model and theassumed accuracy of the sensor signals in such a way that it fuses thesein a most optimal manner.

[0010] Since the system status is partially measured with at least onesensor it is possible to ascertain a failure status due to the deviationof the measured values from the expectation of the respective estimatedvalues of the system model. Following a comparing with threshold values,a failure status is present.

[0011] An optimal fusion of all sensor signals can be effected with theaid of a Kalman-filter while using a predetermined weighting. Weightingis accomplished in that in the system operation relatively imprecisesensor signals or system states of the system model are weighted lowerthan more precise sensor signals or system states of the system model.Thereby, certain accuracies of the sensors or of the system model areassumed. The mentioned fusion can, however, only then be optimal if theassumed accuracies of the sensor signals or of the system modelcorrespond to the actual accuracies of the sensor signals or of thesystem models. In case of a failure of a sensor signal or of a systemmodel, that is when the predetermined accuracy of one or more sensors orof the system models cannot be maintained, the observer keeps using thesensor signals or the system states of the system model now as before inthe original predetermined weighting. Thus, even if a sensor deliversimprecise signals, it will be weighted relatively strongly due to thepredesignation as a precise sensor or system status designated sensor incombination with the other sensors or system states. In this case theobserver no longer weighs the different signals in the optimum manner sothat overall the observer provides a solution that is less than optimal.This can lead to a substantial loss of accuracy in the output signals ofthe observer.

[0012] The described disadvantage applies to each observer methodaccording to the prior art and particularly for those usingKalman-filters.

[0013] A so-called observer or Kalman-filter bank has been developed onthe basis of the observer technique in order to recognize sensorfailures or system modeling failures and to remove these from thesystem. In such a bank a plurality of observers are used simultaneouslyand in parallel. Such a system is published in the Publication Bryson,A., Yu Chi, H., “Applied Optimal Control”, 1975 on the pages 388 and389. Thereby an observer referred to as main observer processes allsignal to be processed with a system model that has reference to asystem without any system defects. In contrast thereto, the otherobservers, so-called sub-observers, process a sub-selection of thesensor signals to be processed in combination with system models whichhave reference to different system defects. Which sub-observers are tobe used in an observer bank depends on which combination of sensordefects and system defects are to be considered.

[0014] Each observer of the observer bank ascertains for each sensormeasurement a so-called residue which constitutes the difference betweenthe measured sensor signal and the expected sensor signal that theobserver expects for this point of time through the system model. Thiscomparing of the residue with an expected value or accuracy of theresidue permits the determination of the probability density that thelast measurement corresponds to the system model of the observer. Ifthis probability density falls below a threshold value, this fact istreated as a failure. In order to recognize deviations that build upover time as a failure, as soon as they constitute a failure, the knownobserver bank takes into account, when it judges the probability densityof the residues, also all residues that occurred in the past. Theprobability density of all past measurements are determined with the aidof mathematical methods. In case of a detected failure, that is when theprobability density of past measurements in connection with the systemmodel fall below a probability threshold value, the observer bankswitches over to that sub-observer having at this time the highestprobability density.

[0015] It is a disadvantage of the known method that it functionsreliably only when failures occur that have been previously defined.

[0016] It is an object of the invention to provide a sensor system withat least one set of observers and a method for a reconfiguration of thesensor system by means of which an improved precision is achieved incase of a failure.

[0017] This object has been achieved by the features of claim 1. Furtherembodiments are defined in the dependent claims.

[0018] The reconfiguration method according to the invention is providedfor implementation in a computer system for compensating of failures ofa sensor system. The present system comprises at least one sensor formeasuring of system states of an application system and at least onesystem model for describing the application system while forming atleast one observer for estimating the system states in order to makethese system states available to an allocated data processing unit. Withthis method failure states are ascertained for an observer, i.e. in afirst combination of one sensor and one system model. These failurestates result from the comparing of a number of states measured by theat least one sensor with a state that has been estimated by the systemmodel. When a first threshold value of deviations is reached, at leastone further observer is initiated. The further observer is a furthercombination of a sensor and a system model. The further observer isinitiated by the system state measured by the first combination and anumber of deviations. Thereby, the system states ascertained by thefurther combination are transmitted to the data processing unit forfurther processing. This transmittal takes place as soon as the firstcombination reaches a second threshold value.

[0019] In connection with the reconfiguration method, the firstcombination can be initiated by the further combination and systemstates are transmitted to the data processing unit for furtherprocessing, as soon as the first combination falls below the firstthreshold value.

[0020] When the first observer exceeds the first threshold value, thatfurther observer can be selected which has the smallest deviations ofthe system states over a predetermined past time interval.Alternatively, the second observer can be selected in accordance with apredetermined sequence when the first observer exceeds the firstthreshold value.

[0021] It is an advantage of the method according to the invention or ofthe apparatus according to the invention that the observer bank, byswitching over to another observer configuration with a sub-quantity ofsensor signals does not reject the sensor signals that occurred prior tothe failure of the main observer that has now been recognized as beingdefective, since its signals prior to the failure have been sufficientlyaccurate. Thus, for example, all learning effects are not lost, such asthe estimating of sensor offsets or an increased accuracy of theobserver, which have been produced prior to the failure by the switchedoff sensor signal.

[0022] Contrary to the prior art no switch-over takes place to asub-observer in case of a failure, which sub-observer currently includesa correct system modeling with a system deviation, but did not correctlydescribe the system in the past because then the system deviation hadnot yet occurred.

[0023] By taking into account past values an unnecessary reduction inthe observer accuracy is avoided.

[0024] The solution according to the invention is also advantageousrelative to the accuracy that occurs after an internal failure.According to the invention the observer bank switches back to therespective observer if the deviation of the sensor or system modelrecognized as failed was so large prior to the recognition of thefailure, that it would still influence probability density calculationsperformed after the failure, that is, future probability densitycalculations. Thus, contrary to the prior art, the information of futurepossibly correct sensor signals of the sensor that has been classifiedas failed are not rejected. When a system deviation occurs the inventionswitches to the correct system model without system deviations whichalso leads to an improvement of the accuracy of the output signals.

[0025] Compared to the solution according to the invention, the methodaccording to the prior art can lead to a substantial loss of informationof the observer bank, taking into account effects that are relevant forthe past and including effects that are relevant for the future. This isso because a large proportion of correct sensor signals are rejected bythe prior art or it does not work with the system models that have beenrecognized as being correct.

[0026] In the following the invention will be described with referenceto the accompanying figures which show:

[0027]FIG. 1 a first example for the application of the sensor systemaccording to the invention or the method according to the invention,wherein the outer states or motion states of an application system areacquired by the sensor system;

[0028]FIG. 2 a second example for the use of the sensor system accordingto the invention or the method according to the invention, wherein innerstates or operational states of another application system are acquiredby the sensor system; and

[0029]FIG. 3 shows an observer bank provided in a sensor system, therebyshowing, for example an occurred internal failure and its systemtechnical treatment in timed steps k to k+11.

[0030] According to the invention there is provided a reconfigurationmethod for a sensor system 1. The sensor system 1 comprises severalsensors 2 for measuring of states of an application system and at leastone system model 4 for describing the application system 11, therebyforming at least one set of observers 6, in order to make availablestates 10 of the application system 11 by means of measured values for adata processing unit 14 allocated to the sensor system. Whereby failuresin the sensor system, deviations in the system modeling, or failures inthe application system are compensated by the reconfiguration andmeasured values having an optimal quality are made available. Therespectively used at least one system model 4 can be an analyticalmodel, that is, a model formulated by algorithms and/or it can be amodel described by lists and allocations. The sensor system 1 furthercomprises a calculating unit 8. Interfaces to application systems and toallocated data processing units 14 as well as system functions areimplemented in the calculator unit 8, for example for a timelypresentation of values of different functions of the sensor system 1.The reconfiguration method according to the invention can be implementedin the calculator unit 8 or at another position in the sensor system 1or in a unit outside of the sensor system 1.

[0031] Thus, the claimed method or system relates generally to a sensorsystem which determines states of an application system. Thereby, thesensor system may be provided for the general case of measuring stateswhich are indirectly caused by a system or an application system and ina second general case to measure states of the system or of theapplication system directly, that is to measure its operational states.

[0032] In a first case in which outer states 10 are measured by means ofthe sensor system 1 according to the invention and which is shown inFIG. 1, the application system 11 may, for example be a vehicle such asa land vehicle, a sea-going vehicle, or an airborne vehicle,particularly an aircraft or a robot. In connection with a vehicle theouter state may include the position or an attitude in space or a timederivation thereof. The measured values that have been measured by thesensor system 1 for the outer states are fused in the sensor system 1 inaccordance with the method of the invention. The measurement issymbolically designated by the reference character 12. The measuredvalues are fused by means of the at least one set of observers 6including sensors 2 and at least one system model 4 to form an optimizedstatus vector which is supplied for further use through a conductor 13to a data processing unit 14 allocated to the sensor system 1. The dataprocessing unit 14 may be a control system, an open loop control system,a closed loop control system, or a guidance system. The data processingunit 14 may particularly also be provided for the open loop control ofthe application system.

[0033] The sensor system 1 may be a navigation system and/or an attitudereference system. For example, in this application case the sensors areinertia sensors and the system model is a model that describes theresponse characteristic of the vehicle on the basis of open loop controlforces. In this case the system model is thus an analytical vehiclemodel. Further, the sensor system may be an air data system whichincludes the motion states, the velocity, the altitude, and thereference angle to the surrounding air. For example, the sensor systemaccording to the invention may also be provided for the acquisition, forexample of the position of a robot in space or the position and/ororientation of a robot arm.

[0034] The internal failures that are to be compensated by the methodaccording to the invention and that may occur thereby may relate

[0035] to the system model, particularly due to an inaccuratereproduction of the real vehicle characteristic or a systematic modelerror, or

[0036] to the sensors, for example due to failure or defect of one orseveral sensors.

[0037] In the second case illustrated in FIG. 2, the applicationaccording to the invention relates to a mechanical, chemical orelectrotechnical application system 21. In the second case internalstates or operational states 20 are to be measured by the sensor system1. The internal state of the application system 21 may be formed by adynamic process which in turn may be characterized mechanically,chemically, or electrotechnically. The measured values that have beenmeasured by the sensor system are indicted symbolically by the referencecharacter 22. These measured values are fused in accordance with themethod according to the invention to form an optimized status vector inthe sensor system by means of at least one set of observers 6constituted by sensors 2 and at least one model 4. The optimized statusvector is supplied through a conductor 23 to a data processing unit 24allocated to the sensor system 1 for further use. The data processingunit 24 may be a control system or an open loop control system.

[0038] An example for a mechanical system as a case of using theapplication system 11, is an adjusting system. The operational states ofthe adjusting system may be the position and/or the speed of aservo-valve, of an actuator or of pressures. The operational states tobe measured in a chemical application system may be reactiontemperatures, concentrations of materials reacting with each other,pressures, or generally intrinsic or extrinsic parameters orcharacteristics of any kind. In an electrical system the operationalstates to be measured may be currents, voltages, capacities, or alsomaterial or chemical characteristics.

[0039] The internal failures occurring in the second application caseshown in FIG. 2 and which are to be compensated by the method accordingto the invention may relate to:

[0040] the system model, particularly due to inaccuracies in thereproduction of the real vehicle characteristic or due to systematicmodel deviations, whereby the system model may be available analyticallyor as a set of data based on an aerodynamic, chemical, or other type ofcalibration,

[0041] the sensors, for example, due to failure or defect of one orseveral sensors, or

[0042] deviations of values of the process or of the apparatus fromrated values due to technical failures, for example due to a mechanicalfailure or due to a failed process control or electrical failures.

[0043] The arrangements comprising a sensor system and an applicationsystem shown in FIGS. 1 and 2 and their functional coordination may alsobe combined with each other. Thereby, particularly the sensor system maybe provided with sensor models, which acquire external states as well asoperational states. In such applications, however, sensor systems mayalso be coordinated so that one sensor system acquires external statesand another sensor system acquires operational states.

[0044] Summarizing, the reconfigurable sensor system according to theinvention is provided for the measurement of states, whereby anarrangement or data processing unit and a control or open loop controlarrangement is allocated to the sensor system. The acquired measuredvalues are to be supplied to the data processing unit for furtherprocessing. For this purpose the measured values must have the requiredintegrity and they must be available. Therefore, sensor failures andsystem model deviations must be compensated. In the respectiveapplications of the second case, an operational state must be controlledor controlled in open-loop fashion or in closed-loop fashion. Thereby,determination values of the respective operational states must beadditionally acquired with the best quality, availability, andintegrity.

[0045] All mentioned failures of all mentioned applications can becompensated according to the invention and the measured values can bemade available with an optimal quality. This is so because the decisionwhether a reconfiguration shall take place depends, according to theinvention, only on the deviations between sensor values and values ofthe respectively used system model that is, only the so-called residuesare considered. It is of no consequence whether the failures relate tothe sensors, to the system model, or, if applicable, to a further systemto be monitored.

[0046] The sensor system 1 according to the invention is a failuretolerant system to the extent that it can compensate for the mentionedtypes of failures that occur in the sensor system 1. However, the systemcan also be used as a failure recognition system or as a failuremonitoring system because the system can recognize failures of anexternal system which is the application system 11 or 21, which failuresmay have reference to outer states of an application system 10, forexample motion states in space or they may have reference to operationalstates of the application system 20. The recognition is based on thecomparing of the fusioned values with rated values. In the sensor system1 a combination of sensors and a system model cooperate in an observer.The sensors thereby have, particularly in the actual measuring unit,hardware components. A system model can only be realized by software.This arrangement estimates a system state and is in the position, whensensors fail, to supply to other functions a best possible estimation ofthe system state, said estimation having been ascertained by software.

[0047] Thus, types of failures can be taken into account, such as sensorhardware defects as well as software or system deviations. Thereby,attention must be paid that a deviation can grow until it becomes afailure because the method according to the invention performs in timedsteps. A deviation that occurred in a first timed step, continues in thefollowing timed step. The states or state values to be measured are timedependent so that the sensors acquire time dependent states.

[0048] The reconfiguration method according to the invention will bedescribed in the following with reference to FIG. 3 which showsschematically and with reference to an example of a navigation systemprovided for aircraft, sensors and the switch-over or reconfigurationmethod according to the invention for a sensor failure assumed as anexample.

[0049] The mechanism or the reconfiguration method can be adapted todifferent system models in that different sensor combinations 10 arereplaced in FIG. 3 by different system models. A combination of sensorcombinations and different system models is also possible.

[0050]FIG. 3 illustrates, row by row, the deviation states of severalsensors and sensor combinations of the sensor system 1. These deviationsare listed in column 50, for example for a navigation system. Thedeviation states are designated with the abbreviated name of therespectively provided sensors. The abbreviated names used in FIG. 3 are:LINS for laser inertial navigation system, GPS for global positioningsystem, and TRN for terrain reference navigation system. The signalscoming from these sensors or sensor combinations stand ready for the atleast one set of observers 6. Thereby, the observers 6 are referred toas main observers if their values are used in the data processing unit14 or 24 or as sub-observers if their values are not used in the dataprocessing unit 14 or 24. Thereby, in the illustrated embodiment and forthe illustrated output status the main observer (line 61) receives thesensor signals of a LINS (Laser Inertial Navigation System), of a GPS(Global Positioning System) and of a TRN (Terrain Reference Navigation).

[0051] The example shown in FIG. 3 of a sensor related portion of anavigation system shows the sensor system states and the correspondingfailure status or failure state 51 of a main observer and of severalsub-observers, respectively, in a plurality of timed steps k to k+11following one another. In the shown example observers are used for thefusion of the sensors with the system model. In this case the term“system state” means the complete current description of the respectivesystem, i.e. the values of all important magnitudes ascertained throughthe observer in an actual time step. In order to show the timed sequenceon the one hand and the simultaneous occurrence of these characteristicson the other hand, these characteristics are arranged in lines 61, 62,63, 64, 65 and 66 and in columns k to k+11. The columns k to k+11symbolize the illustrated timed steps while filters activated in therespective timed steps are shown in the lines 61, 62, 63, 63, 64, 65 and66. Thereby, the main observer or the first observer is shown in line61, while the sub-observers or further observers available for use areillustrated in lines 62, 63, 64, 65 and 66. Thereby, the observers whichmake the values available for allocated data processing units 14 or 24are illustrated with dot-filled blocks. These observers are respectivelyactive at a timed step. The observer whose values are not used during atimed step which, briefly stated, are inactive, are illustrated bygray-filled blocks.

[0052] Several observers that are active during a timed step aredesignated as an observer bank. The observers or rather main observersor sub-observers and the allocated system models themselves are notshown in FIG. 3. Rather, only the sensors or sensor combinations listedin column 50 which are connected to system models and which belong tocertain observers are shown. These allocations are dependent on theindividual case and application and are to be determined in accordancewith known criteria such as accuracy, available technologies and soforth, and according to layout methods. Thus, the system statestransmitted to the respective data processing unit are respectivelyascertained by a combination of at least one sensor for measuring ofsystem states of an application system and by at least one system modelfor describing the application system while forming at least one set ofobservers for estimating system states. Such combinations will bereferred to in the following briefly as combination.

[0053] The main observer or first observer and the sub-observer orfurther observers use as actual sensor signals the signals fromdifferent sensors 50. Thereby, the main observer is formed of apredetermined combination including at least one sensor and at least onesystem model not shown in FIG. 3. Thereby, the main observer or firstobserver uses the signals, preferably of a maximum number or of a firstselection of observers, in order to have an accuracy and measuringquality as high as possible, while the sub-observers or furtherobservers use the signals of a sub-combination of this maximum number orof the first selection of sensors. The system models used thereby may bedifferent system models.

[0054] The sensors of the embodiment shown in FIG. 3 as an example areprovided for a navigation system. Other sensors and thus main observersand sub-observers come into consideration for other navigation systemsas well as sensor systems which are provided for other applications,FIGS. 1 and 2. The mechanism can also be adapted for different systemmodels in that the various sensor combinations 10 are replaced bydifferent system models. Further, a combination of sensor combinationsand different system models is also possible.

[0055]FIG. 3 shows the timed sequence, as an example, in twelve steps inwhich a failure in the sensor signals has been recognized. Theillustration of FIG. 3 shows how the sensor system behaves during thetime in which the internal failure is present and how the systemthereafter is reconfigured. Thereby, the shown timed steps k to k+11represent only one section of an entire timed function procession. InFIG. 3 the first timed step is designated by the cipher k and the secondtimed step is designated by the cipher k+1. Further timed steps are notshown in this figure and are passed over up to the eleventh timed stepdesignated as k+10. Concluding the timed step k+11 is shown in which thesensor system has reached again the starting status in the shownexample.

[0056] The blocks 51 symbolize the sensor system states and the failurestates of the observers or filters in each timed step and the failurestatus is described by one respective probability magnitude. Thismagnitude makes a statement with which probability the system model ofthe block has produced correct measurements. The probability isascertained on the basis of a predetermined number n of latestmeasurements. The probability magnitude can be produced advantageouslyfrom the significance. The significance a of the latest n-measurementscan be determined with the aid of the x²(α, n)-function, specifically orparticularly in accordance with a Gauss-method, or a rectangle method,or a Voter-Monitor-method and the past n residues. This function can,for example be taken from the book “Pocketbook of Mathematics” byBronstein, 25^(th) Edition 1991, page 680. Hence, according to theinvention a failure is searched for only in the last n measurements.Hence, a sensor failure or system failure does not play any role in thecurrent failure status if it occurred prior to the last n timed steps.Contrary thereto in the known methods in which the deviation states orresidues of all past timed steps are taken into account, the sensorsignals or the system model which are already again deviation free,could possible still be evaluated as failed so that the entire system isdegraded.

[0057] Instead of the significance, the probability density of thelatest n measurements can be used for ascertaining the failed status.The ascertaining of the probability density is described in the printedpublication Bryson, A., Yu-Chi, H., “Applied Optical Control”, 1975,pages 388 to 389. The ascertaining can be adapted to n measurements.Further, a confidence estimate of the system status over the last nmeasurements can be used to ascertain a failure status. The confidenceestimate is a check whether the system state moves with a predeterminedprobability within predetermined limits. The methodology of theconfidence estimate is described, for example in the “Pocketbook ofMathematics”, Bronstein, 25^(th) Edition, 1991, pages 684 to 686. It isalso conceivable that further failure recognition methods can be usedsuch as, for example, a hypothesis test.

[0058] Thus, according to the invention a deviation measure number andpreferably a probability magnitude or characteristic number is used fordetermining the failure status. Thereby, it is the essential criteriumthat the failure recognition is referenced to a predetermined intervalof n measurements. This interval represents the time delay with which afailure is recognized. The predetermined number of measurements forascertaining the failure status according to the invention may bevariable or it may be adjustable in dependency, for example of anoperational status of the sensor system or also of the applicationsystem or it may depend on the application case. An adjustment of thenumber n can also take place automatically. For example, in relativelycritical operational states the number n may be selected to berelatively small compared to non-critical operational states.

[0059] According to the invention two limits or threshold values aredefined for the evaluation of the failure status. With these limits orthreshold values the failure status or failure state of the respectiveobserver to which the failure status has been allocated, is evaluated,i.e. the main observer or the sub-observer of the first or furtherobservers is evaluated. A first threshold value or diagnosis thresholdvalue relates to whether in the respective observer a significantdeviation can build up. A second threshold value or failure thresholdvalue determines whether the respective observer is evaluated as failed.

[0060] In the illustration of the FIG. 3 failure states that are within,i.e. below the first threshold value are designated with “a”. Thesefailure states relate to observers or combinations that are free offailure and in which no deviation can build up slowly. Observers orcombinations whose failure states lie within the area between the firstand the second threshold value are designated with “b”. Further,observers with a failure state which is above the two limits, aredesignated in FIG. 3 with “c” and are checkmarked with a cross. Anobserver with such a failure state is classified as failed. In thisconnection the buildup of a deviation designates the increasing of aninitially small deviation over a plurality of timed steps.

[0061] According to the invention the sensor fusion works on the basisof a first combination of at least one sensor and one system model aslong as the failure status lies there within the range designated with aor b. The first combination of at least one sensor and one observer isreferred to in the following simply as combination. Thereby, this firstcombination may also be a combination of at least one sensor and onesystem model to which the reconfiguration method has already switchedover from the main observer. Stated differently the first observer orthe first combination must not be the main observer or the maincombination or the combination with the main observer. The system statesascertained by the first combination are transmitted to the dataprocessing unit 14, 24. Further, the observer bank or a furthercombination with a respective observer always returns to this firstcombination when this first combination reaches from another range tothe range “a” or “b”, that is the deviations of past states are smallerthan the first or second threshold value. When the first combination orthe respective active combination is within the “a” or “b” range thesystem state thereof is transmitted outwardly to the data processingunit 14, 24, that is the values calculated by the system state aretransmitted. The first or also the second threshold value can be takenas a quality criterium of the ascertained sensor value or of the usedsensors or system models. These values can also be interpreted as anaccuracy limit which must satisfy the system status.

[0062] In the example shown in FIG. 3 the failure status of a firstcombination including at least one sensor and one observer, reaches thevalue b in the timed step k+1. Thus, the failure status lies between thefirst and the second limit, i.e. between the diagnosis threshold valueand the failure threshold value. The sensor fusion system according tothe invention interprets this occurrence as a possibility for the factthat a significant deviation could build up in the first combination orin the momentary main combination. At this point of time, i.e. followingthe exceeding of the diagnosis threshold value the observer bank isactivated, that is, further available combinations of at least onesensor and at least one observer. This activation is accomplished inthat a selection or all further combinations including at least onesensor and at least one observer, namely further observers orsub-observers are activated and initiated by the first combination.Initiation has reference to one and preferably to all system states andto the past residues n−1 which are significant for the determination offuture failure states and which are used by the activated observers. Atthe point of time k+1 however, only one initialization and theactivation is performed. However, now as before, the system status thathas been ascertained by the main observer and not by a sub-observer, istransmitted to the data processing unit 14, 24.

[0063] An activation of a further combination and thus a deactivation ofthe first combination with a main or first observer takes placeaccording to the invention only then when the failure status of thefirst observer exceeds the second threshold value. This takes place inFIG. 1 at the point of time k+10 at which the first combination has afailure status “c”. At such an occurrence a further combination 32including at least one sensor and at least one observer is activated,wherein the observer has at least one predetermined failure status atthis point of time. Preferably, the predetermined failure status is themost advantageous of the still available combinations.

[0064] In case a total of only two combinations or only one furthercombination are available, only the activation of the second combinationcan take place. If the failure status of the second combination itselfis above the second threshold value, the sensor system is classified asfailed and a respective defect message is generated. In case thatseveral further combinations are available after the first combinationhas exceeded the second threshold value, the selection of thecombination to be activated can take place in accordance with apredetermined sequence or the selection can take place based on whichcombination at a predetermined point of time has the best failurestatus. This point of time can be the point of time when the secondthreshold value is exceeded by the respective first combination or itmay be another point of time, for example, the conclusion of apredetermined time interval following this point of time.

[0065] In the example shown in FIG. 3 this is the observer or thesub-observer which uses the signals of the LINS and TRN. Thus, in thissituation a GPS sensor failure has been recognized. In case nosub-observer had a failure status of “a” or “b” the highly unlikely casehad occurred that all sensors GPS, LINS and TRN have failed and thus,the entire observer bank or all combinations of at least one sensor andone observer would be defective. Thus, a warning can be providedoutwardly to the effect that the output of the observer bank has failedand thus the integrity of the output signal cannot be warranted.

[0066] Then, in the next timed step, the main observer is reinitiated bythe LINS/TRN observer, more specifically, the present system status andthe past n−1 residues or the probability indicators of the main observerare overwritten with the values of the sub-observer that works on thebasis of LINS and TRN or by the residues which the LINS/TRN observer hasreceived at its initialization. In this example then the ascertainedfailure status of the main observer has the value “a” and thus it isassumed that no deviation can build itself up in the main observer whichexceeds the required or specified accuracy. Therefore, the observer bankis deactivated. If the main observer would have a failure status b, thiswould lead to a new activation of the observer bank in the step k+11. Inthis case the remaining sub-observers would be initiated in the stepk+11 by the values of the LINS/TRN sub-observer. In case the mainobserver had a failure status “c” then, immediately after the activationof the observer bank, a switch-over to the best sub-observer with thefailure status a or b would be performed. As in the timed step k+10 italso is true that in case no sub-observer has a failure status of “a” or“b”, the highly unlikely case has occurred that all sensor GPS, LINS andTRN have failed and thus the entire observer bank would have failed.Thus, a warning could be provided externally, which warning indicatesthat the output of the observer bank has failed and thus the integrityof the output signal cannot be warranted.

[0067] Thus, with the method according to the invention it is achievedthat even if temporary sensor failures or system model defects occur,correct sensor signals or system models prior to and after the sensordefect or system defect are not rejected. Correct sensor signals orsystem models prior to the internal failure are used because prior tothe internal failure the operation is always based on the main filter.Since the observer bank switches over to the main observer as soon asthe probability indicators or residues of the last “n” timed step resultin a failure status “a” or “b”, correct sensor signals and system modelsare used after the internal failure.

[0068] The past n−1 residues of the main observer that has beenclassified as failed, are overwritten with the residues of thatsub-observer which, at the time has the best probability indicator.Therefore, the determination of the failure status always has referenceto a predetermined number n of latest observer residues that have beenconsidered to be correct.

[0069] It is essential to the method according to the invention that forascertaining the failure status only an absolute deviation is used. Theabsolute deviation is based on a timed sequence of sensor valuesdeviating from values that have been ascertained by means of at leastone system model. Thereby, failures which are to be allocated to thesensoric, including hardware as well as software, and deviations whichare to be allocated to the system model, become recognizable.

[0070] The method according to the invention can be applied to anyobserver based sensor system, whereby the sensors mentioned in thedescribed example embodiment, that is LINS, GPS and TRN can be replacedby other sensors, sensor combinations, and system models. Examples forsuch areas of application have been shown in FIGS. 1 and 2.

1-16. (canceled)
 17. A reconfiguration method for implementation in acomputer system for compensating failures of a sensor system (1) with atleast two observers, each observer being formed by at least one sensor(2, 50) for measuring (12, 22) system states of an application system(11, 21) and by at least one system model (4) for estimating of systemstates of the application system, in order to make system states with apredetermined reliability available to an allocated data processing unit(14, 24), said method comprising the following steps: (a) ascertainingfailure states based on time related deviation values for a firstobserver by comparing of a number of states measured by said at leastone sensor, with a state estimated by said at least one system model,(b) initiating at least one further observer in response to the reachingof a first threshold level of said deviations, said further observerhaving a number of past time steps for determining a failure status ofthe further observer, and (c) transmitting the system states ascertainedby the further observer to the data processing unit (14, 24) for furtherprocessing, as soon as the first observer has reached a second thresholdvalue.
 18. The reconfiguration method of claim 17, wherein, in responseto the first observer exceeding the first threshold value, that furtherobserver is selected which has the smallest deviations of the systemstates over a predetermined past time interval.
 19. The reconfigurationmethod of claim 17, further comprising selecting a further observer inaccordance with a predetermined sequence, when the first observerexceeds the first threshold value.
 20. The reconfiguration method ofclaim 17, wherein the first combination is initiated by the furthercombination and sending system states for further processing to the dataprocessing unit (14, 24) as soon as the first combination falls belowthe first threshold value.
 21. The reconfiguration method of claim 17,comprising ascertaining the deviations by means of a confidenceestimate.
 22. The reconfiguration method of claim 21, comprisingperforming the confidence estimate by means of a Gauss-method or aquadrilateral method.
 23. A sensor system for the determination ofexternal states of an application system (11), said sensor systemcomprising an allocated data processing unit (14) for receiving saidexternal states, at least two observers (6) with at least one respectivesensor (2) and at least one respective system model representing theapplication system (11), said sensor system being adapted for performingfunctions in accordance with the method steps (a), (b) and (c) asdefined in claim
 17. 24. The sensor system of claim 23, wherein saidapplication system is a vehicle.
 25. The sensor system of claim 24,wherein a position or an attitude of the vehicle in space is used as anexternal state.
 26. The sensor system of claim 23, wherein said sensorsystem is an air data system.
 27. A sensor system for the determinationof operational states of an application system (21), said sensor systemcomprising an allocated data processing unit (24) for receiving saidoperational states, and at least one set of observers (6) with at leastone sensor (2) and a system model representing the application system(11), said sensor system being adapted for performing functions inaccordance with the method steps of claim
 17. 28. The sensor system ofclaim 27, wherein the application system is a control system and whereinthe operational states are a position and/or a speed of a servo-valve orof an actuator.
 29. The sensor system of claim 27, wherein theapplication system is a control system and wherein the operationalstates are pressures.
 30. The sensor system of claim 27, wherein theapplication system is a chemical system and the operational states are areaction temperature, a concentration of materials reacting with eachother, or pressures.
 31. The sensor system of claim 27, wherein theapplication system is an electrical system and the operational statesare currents, voltages, capacities or material characteristics.
 32. Thesensor system of claim 23, wherein said data processing unit (14) is amonitor.
 33. The sensor system of claim 27, wherein said data processingunit (24) is a monitor.